MFA and Password Manager Setup for Adelaide SMBs: Make Phishing Stop Working Against Your Business

Your bookkeeper gets an email that looks exactly like a Microsoft 365 password-expiry notice. She clicks through, types her password into the page, and gets on with her morning. Within the hour an attacker is sitting in her mailbox reading your supplier correspondence, setting up a forwarding rule, and waiting for an invoice. The single control that would have stopped this — a second factor the attacker cannot phish over the phone — is the one most Adelaide SMBs have not finished rolling out. MFA and Password Manager Setup from Cyber by Exegesis is the engagement that finishes it.

The problem

ACCC Scamwatch has consistently identified phishing as the top reported scam category in Australia. The phishing message itself is not the problem — the problem is what happens when one of your staff falls for it on a Tuesday afternoon. If the account is protected only by a password (even a strong one), the attacker is straight in. If the account is protected by SMS codes and the staff member also typed the code into the fake page, the attacker is still straight in.

The ACSC Small Business Cyber Security Guide is clear: multi-factor authentication and a password manager are foundational controls for Australian SMBs. But “turn on MFA” hides a lot of decisions — which method, which accounts first, where the recovery codes live, what happens when someone loses their phone, and how you stop staff reusing the same password across personal and work logins. Most Adelaide SMBs we speak to have MFA on some accounts, a password manager for some staff, and a recovery story that lives in one person’s head.

What MFA and Password Manager Setup does

Cyber by Exegesis runs a hands-on, fixed-scope engagement to finish the job across your most important accounts:

Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. This engagement is preventive setup, not ongoing IT support. We set the controls, document them, and step back.

How it works

  1. We confirm the engagement scope on a short call and list the accounts in scope — email tenant, banking, super, accounting, and any remote-access or admin logins.
  2. We sit with each staff member (in person where possible in Adelaide, otherwise screen-share) and enrol them in MFA and the password manager.
  3. We move existing passwords into the vault, retire the ones that have been reused across personal accounts, and generate fresh ones for the high-value logins.
  4. We document recovery codes, seal them, and hand them to the business owner with a written note of where they should live.
  5. We run the 30-minute phishing walkthrough and leave you with the written record and a 60-day review window.

Why this matters in Adelaide

Adelaide’s SMB base skews toward professional services, defence-supply-chain businesses, healthcare practices, and family-owned operators — sectors that hold customer PII and are squarely inside the OAIC Notifiable Data Breaches scheme once turnover passes the threshold or the sector trigger applies. A phished mailbox at an Adelaide accounting firm or medical practice is not just a nuisance; it is a likely eligible data breach with statutory notification obligations attached. Finishing the MFA and password manager rollout closes the door phishing depends on before that notification conversation starts.

Join the waitlist

We are sequencing engagements by sector and by tenant type (Microsoft 365 first, Google Workspace second). Join the waitlist with your sector, staff count, and current email tenant — we will tell you when we are ready to take a brief from your business.